How to Make the WordPress Login Cookie Last Longer Than Two Weeks

30 June 2008, 9:10 am

One thing I loathe about WordPress 2.5 is that login cookies only last two weeks, so every two weeks I get prompted to log in again. It is extremely disruptive to have to log in again when just a few hours earlier I was logged in. The cookie logic should be tweaked so that if you haven’t logged in over the past two weeks, then (maybe) the cookie should expire. But if I was allowed to work on the blog yesterday, why should I need to log in again today? The two-week window should not be based on when I first logged in, but on when I last did administrative functions while logged in.

There aren’t any plugin hooks to the cookie setting functions of WordPress 2.5. But you can edit line number 547 of pluggable.php (which is under wp-includes of your WordPress installation) to lengthen the amount of time a cookie is stored for. Simply change the number at the end of the line
$expiration = $expire = time() + 1209600;
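to however many seconds you want the cookie to be good for. Because this edits a core file, the change is overwritten whenever WordPress is upgraded and has to be reapplied.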

Once you’ve made that change, log out (in the top right of the administrative area) and then log in again to create the new cookie with the longer login time. Or simply wait two weeks for your cookie to expire, and then the next time you log in, you’ll be all set.

Yes, I can see how this might be a security issue, since an attacker may stay logged in for a long time, and get past any system upgrades. (A system upgrade though should wipe any stored logins. Which doesn’t appear to be possible currently, since the cookie doesn’t store which version of WordPress the cookie is good for.) Or if your machine is compromised, your blog can be compromised. But generally, if that happens, you’re screwed anyways. So in this instance, ease of use is trumping security for me.
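The expiry policy this post asks for, written out as an added example (not WordPress code and not the author's): the login window slides with activity, an absolute cap bounds how long a stolen cookie stays useful, and rotating the server key wipes every stored login. The token layout, function names, 90-day cap, keys and timestamps are assumptions made for illustration; only the value 1209600 comes from the post.

```php
<?php
// Added example, not WordPress's cookie format. Token: user_id|issued|last_seen|mac
const IDLE_LIMIT     = 1209600;  // 14 days without activity (the value from the post)
const ABSOLUTE_LIMIT = 7776000;  // 90 days since the password login (assumed cap)

function sign_token(int $userId, int $issued, int $lastSeen, string $key): string
{
    $body = "$userId|$issued|$lastSeen";
    return $body . '|' . hash_hmac('sha256', $body, $key);
}

// Returns a re-signed token with last_seen = $now while the session is valid,
// or null when the user has to log in with username and password again.
function refresh_token(string $token, int $now, string $key): ?string
{
    $parts = explode('|', $token);
    if (count($parts) !== 4) {
        return null;
    }
    [$userId, $issued, $lastSeen, $mac] = $parts;
    $expected = hash_hmac('sha256', "$userId|$issued|$lastSeen", $key);
    if (!hash_equals($expected, $mac)) {
        return null;                 // forged, edited, or signed with a retired key
    }
    if ($now - (int) $lastSeen > IDLE_LIMIT) {
        return null;                 // idle for more than two weeks
    }
    if ($now - (int) $issued > ABSOLUTE_LIMIT) {
        return null;                 // absolute cap since the password login
    }
    return sign_token((int) $userId, (int) $issued, $now, $key);
}

// Constructed timeline (sample values, not real data).
$day = 86400;
$key = 'constructed-demo-key';
$t0  = 1214816400;                   // arbitrary login time
$tok = sign_token(1, $t0, $t0, $key);

$tok13 = refresh_token($tok, $t0 + 13 * $day, $key);          // active on day 13
$tok26 = refresh_token($tok13, $t0 + 26 * $day, $key);        // active again on day 26
var_dump($tok26 !== null);                                    // past day 14, but never idle
var_dump(refresh_token($tok26, $t0 + 41 * $day, $key));       // then idle for 15 days
var_dump(refresh_token($tok26, $t0 + 27 * $day, 'rotated'));  // server key was rotated
for ($t = $tok, $d = 10; $t !== null; $d += 10) {             // used every 10 days
    $t = refresh_token($t, $t0 + $d * $day, $key);
}
var_dump($d - 10);                                            // day the absolute cap hit
```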


25 Comments

Thanks Mike, WP has been doing my head in ever since I installed it as a “little extra” something for my site and my visitors. You have answered the question that has been bugging me for ages, as I really dislike WP’s auto sense of cookie time.

Yeah, I experienced this kind of ‘problem’ as well, but didn’t have a clue how to change that until I accidentally bumped into your solution. I am going to implement this tonight. May I thank you for this post? Thanks. It will help me.

I see that this post is a bit older…I’m using WordPress 3.1 and don’t even think my login cookies last even 2 weeks. Is this fix still valid for the later versions of WordPress? Many thanks for the help!

Yes, this method still works as of WordPress version 3.1. Simply search the pluggable.php file in the wp-includes folder for the value “1209600” and change that to a bigger number, such as one of the ones I list above. Then the next time you log in, the cookie will be set for a longer period of time.

In updating a site for a friend to fix this log-in issue I must have deleted or moved a line of code because his site is hammered now, and I can’t see or figure out where the code got messed up. Of course he does not have a recent back-up so I am panicked on how to get the site back to normal. He hosts with HostMonster and they have been no help. The most recent back up they had is just too old to be of any help. Any ideas?

Hi Michael, in response to your reply to Ray, your advice helped me solve another problem I had with one of the other files. I had messed up some code and was playing around with it for ages and couldn’t get it right. All the time I was stressing about getting it fixed, when the simplest fix is, as you mentioned, simply to upload and overwrite the faulty file.

This is a learning for me indeed. This would help a lot in my attempt of succeeding in making WordPress. I know that I am a newbie, but after going through this blog, I think and I believe that I can do it!

Thanks for this info. I have always been so annoyed about having to log in again after two weeks in my WordPress account, whereas I have been online every day. And yes, the “keep me logged in” period should be based on the last time that you have actually logged in and not on the first time that you’ve had. Well, I know this works in WP 2.5, right? But how about for the new version? Does somebody have additional tips? It would be greatly appreciated.
— Casey Miller

Many will find this a security issue. It, however, depends on your blog’s popularity and the damage that can be done if someone unauthorized gets access. Not that many strangers will actually sit in front of your private computer. There is one bad thing about it though: if you have a unique password for your WordPress admin page, you will most likely forget it in a while if you haven’t been asked to type it in.

This is a great tip. It is definitely annoying to have to re-login so often. Did the recent update to WordPress (version 3+) address this issue? I simply save/store my passwords on the PC so it’s easy to just log back in when it prompts you, but I’m glad to now know that I can adjust the setting to delay “timeouts”.

Hi Jake, No, that is not possible. It’s just the way that cookies work. If you look at your cookies in your browser you’ll see the expiration date. I don’t know how each browser stores that information. It might be possible to manually tweak the expiration date of a cookie, but that’s a hassle.

It would be a major security problem if a web site could manipulate cookies without having to set them again. And if you are extending the amount of time a WordPress login cookie is valid for, you should want your user to have to login with their username and password.

Hi Michael, I was thinking that if I could read the cookie, store its contents in a variable, delete the existing cookie, and set a new cookie with details from the variable and with an extended expiry date, it may work? Right now, I’m trying to figure out how to read the contents of the cookie, and get them to echo out just to see what it puts out. Is there a function I need to call or is all the cookie information stored in a variable already?

I’d guess you may be able to write a plugin that would change the login cookie. I’ve never played with manipulating cookies before, nor have I looked in the hooks that are available within WordPress for cookie manipulation. Sorry I can’t be of more help. You’re right though, it may be possible. To be honest though, I don’t quite understand what problem you’d be addressing by doing this. What’s wrong with requiring a new login?

Josh, Sure you could make the expiration value fairly short. But if you make it too short, you won’t be able to do anything since you’ll always have to be logging in. And yes, it is a universal setting for all users. You could replace the code (I wonder if it has plugin hooks in WP 3.2) so that admin users are longer than authors. Realistically though, you’re probably better off leaving the login cookie at two weeks. Or maybe adding in additional security, such as limiting IP addresses that can log in, or simply logging what users are doing.